So; the scenario is this…
Run the script in a PowerShell window and launch Adobe Acrobat (Reader or Pro), and it creates an object with “MainWindowTitle” populated correctly. It does so even when run as SYSTEM.
If you take this script and turn it into a Windows service (running as Local System), the MainWindowTitle property is not returned.
At this point I’m just trying to find out why, and see if maybe someone else has a recommendation.
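function Enable-ProcessTrace {
    <#
    .SYNOPSIS
    Registers a WMI event subscription that writes one JSON record for every
    newly started Acrobat.exe process.

    .DESCRIPTION
    Polls __InstanceCreationEvent every 3 seconds for Win32_Process instances
    named Acrobat.exe. For each event the action block looks the process up
    with Get-Process and writes a JSON document named <guid>.json into the
    queue folder. The BIOS serial number and the queue folder are handed to
    the action block through -MessageData, because the action runs in its own
    scope and cannot see this function's local variables.

    .NOTES
    Security review points:
    - The queue folder sits under C:\Temp. Folders created under the drive
      root typically inherit ACLs that let standard users create files and
      folders, so a SYSTEM-context writer should use a directory whose ACL is
      restricted to SYSTEM/Administrators (and the consumer of the queue).
    - The record includes the full command line and the user name of the
      process. Command lines can carry credentials or tokens; treat the queue
      files as sensitive and limit who can read them.
    #>
    $SNID = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $QueueFolder = 'C:\Temp\Queue'

    # WQL string literals must use plain ASCII single quotes; typographic
    # quotes pasted from a web page end up inside the query text.
    $Query = "Select * From __InstanceCreationEvent within 3 Where TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'Acrobat.exe'"
    $Identifier = 'StartProcess'

    # Out-File does not create missing directories, so make sure the queue
    # folder exists before any event can fire.
    if (-not (Test-Path -LiteralPath $QueueFolder -PathType Container)) {
        New-Item -ItemType Directory -Path $QueueFolder -Force | Out-Null
    }

    $Messagedata = [PSCustomObject]@{
        snid        = $SNID
        QueueFolder = $QueueFolder
    }

    $ActionBlock = {
        $QueueFolder = $Event.MessageData.QueueFolder
        $SNID = $Event.MessageData.SNID
        $e = $Event.SourceEventArgs.NewEvent.TargetInstance
        $ProcessID = $e.ProcessID

        # The process may already have exited by the time the polled event is
        # delivered; in that case $Process is $null and the fields taken from
        # it are written as null.
        $Process = Get-Process -Id $ProcessID -IncludeUserName -ErrorAction SilentlyContinue

        $eventObj = [PSCustomObject]@{
            # MainWindowTitle is resolved by enumerating top-level windows
            # visible to the calling process. A Windows service runs in
            # session 0 on its own window station, so windows that belong to
            # the interactive user's session are not visible from there and
            # this value is expected to be empty when hosted as a service.
            AppTitle    = $Process.MainWindowTitle
            Name        = $e.Name
            ID          = $e.ProcessID
            Type        = 'Process'
            Path        = $e.ExecutablePath
            Username    = $Process.Username
            CommandLine = $e.CommandLine
            snID        = $SNID
            Timestamp   = Get-Date
        }

        $Data = $eventObj | ConvertTo-Json

        # Join-Path inserts the path separator. Plain concatenation of the
        # folder and the GUID produced C:\Temp\Queue<guid>.json, i.e. a file
        # in C:\Temp rather than inside the queue folder.
        $OutFile = Join-Path -Path $QueueFolder -ChildPath "$((New-Guid).Guid).json"
        $Data | Out-File -FilePath $OutFile
    }

    Register-WMIEvent -Query $Query -SourceIdentifier $Identifier -Action $ActionBlock -MessageData $Messagedata
}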
# Register the subscription in the current PowerShell session. It is a
# temporary subscription: it delivers events only while this PowerShell host
# process keeps running.
Enable-ProcessTrace